System for enterprise digital rights management

ABSTRACT

The present subject matter relates to devices and methods for enterprise digital rights management. In one implementation, a device includes a security module configured to generate a security key. The security module encrypts at least one document of a user, using the security key, to generate a protected document. Further, the device includes an access control module configured to assign an access right to one or more users within an enterprise for accessing the protected document. The access control module is further configured to delegate the access right from the user to another user. The access control module is furthermore configured to lock at least one of the user and the protected document.

CROSS-REFERENCE TO RELATED APPLICATION

This application claims priority under 35 U.S.C. §119 to Indian Application No. 1162/MUM/2011, filed on Apr. 6, 2011, the entirety of which is incorporated herein by reference.

TECHNICAL FIELD

The present subject matter relates, in general, to digital rights management and, in particular, to devices and methods for enterprise digital rights management.

BACKGROUND

In general, organizations, such as government agencies, financial institutions and professional companies, store and process their confidential information in digital format. Such confidential information may include product overviews, marketing plans, customer lists, and sales reports. In contrast to traditionally used print format, the digital format has improved the efficiency of handling the confidential information as well as maintaining its reliability. Organizations typically process the confidential information by sharing the confidential information in form of digital files through protected file servers, and distributing such digital files via downloads or email messages.

However, such digital files make the confidential information more vulnerable to unauthorized parties as the digital files are typically stored electronically on a central server within the organization, and external attackers or intruders may infiltrate into the organization through the organization's network to access such digital files. Further, apart from external attackers, people inside the organization, such as company employees having access to confidential information, may also disclose confidential information to non-trusted parties, either unintentionally or deliberately. Industry research indicates that leakage and theft of confidential information by internal attackers causes more damage to organizations all over the world than security breaches by external attackers.

SUMMARY

This summary is provided to introduce concepts related to devices and methods for enterprise digital rights management. These concepts are further described below in the detailed description. This summary is not intended to identify essential features of the claimed subject matter nor is it intended for use in determining or limiting the scope of the claimed subject matter.

In one implementation, a device includes a security module configured to generate a security key. The security module encrypts at least one document of a user, using the security key, to generate a protected document. Further, the device includes an access control module configured to assign an access right to one or more users within an enterprise for accessing the protected document. The access control module is further configured to delegate the access right from the user to another user. The access control module is furthermore configured to lock at least one of the user and the protected document.

BRIEF DESCRIPTION OF THE DRAWINGS

The detailed description is provided with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The same numbers are used throughout the drawings to reference like features and components.

FIG. 1 illustrates an enterprise digital rights management (eDRM) network environment implementing eDRM devices, in accordance with an embodiment of the present subject matter.

FIG. 2 illustrates components of an eDRM device, in accordance with an embodiment of the present subject matter.

FIG. 3 illustrates a method for protecting documents using the eDRM device, in accordance with an embodiment of the present subject matter.

FIGS. 4(a) and (b) illustrate methods for securely accessing protected documents using the eDRM device, in accordance with an embodiment of the present subject matter.

DETAILED DESCRIPTION

The present subject matter relates to devices and methods for enterprise digital rights management for protecting documents of an enterprise and controlling access to the protected documents. In one example, the documents may contain confidential information, such as product overviews, marketing plans, customer lists, and sales reports in digital format.

Conventional techniques used for protection of the documents within an enterprise environment involve implementing password based encryption systems for securing the documents. However, the password based encryption systems do not provide effective protection to the documents of the enterprise, as passwords can be communicated orally or in a written form to other users. In such a scheme or any other schemes relying exclusively on cryptography, there are no restrictions on actions that unauthorized users can perform on the documents. Therefore, protecting the documents using passwords or other cryptographic schemes makes the documents substantially vulnerable to unauthorized access.

Another conventional approach to protect the documents within the enterprise environment is to store the documents on a secured computer, thus making the documents accessible only to authorized personnel. When the documents need to be duplicated or circulated, users seeking access typically follow secure administration procedures or policies to prevent any unauthorized access. However, this approach is inadequate because the administration procedures are difficult to manage. Such procedures require extensive training and enforcement, and may also be expensive to implement and monitor. Also, these procedures are often ineffective because it is cumbersome for people to review and modify the documents stored on the secured computer. Therefore, people tend to work on the documents stored on their personal computing devices. However, once the documents leave the individual computing devices, the above mentioned secured approach is no longer applicable and the administration procedures become ineffective.

To this end, devices and methods for enterprise digital rights management (eDRM) are described herein. The eDRM device described herein enables users within an enterprise to protect the documents. Further, the eDRM device enables the users to control access to protected documents even if the protected documents leave the eDRM devices of the users. The users can be divided into assignors and assignees. The assignors include document owners, temporary owners, and administrators, while the assignees can be any user in the enterprise. For the sake of clarity, a brief explanation to differentiate the users within the enterprise is provided. The owners may be understood as users having ownership of at least one document and thus, the owner can protect the document, share the protected document with other users, and assign access rights to other users for accessing the protected documents, and control access of the other users from accessing the protected document. Additionally, the owner can temporarily assign the ownership of the protected documents to another user within the enterprise. The assignees may be understood as regular users or a group of users without ownership of the protected documents. The administrators may be understood as users having administrative powers to control and manage all the owners, assignees, and/or eDRM devices within the enterprise.

In an implementation, a plurality of eDRM devices communicates with an eDRM server. A plurality of users may use the eDRM devices to protect the documents, access the protected documents, and/or manage the protected documents. In an example, the users, such as owners, may use the eDRM devices to protect the documents owned by them. The owners may protect the documents if the documents are required to be shared or circulated to the other users. In said example, the owners may also use the eDRM devices to access the protected documents owned by them or received from other users. In another example, users such as the assignees may use the eDRM devices to access the protected documents received from owners and other assignees. In yet another example, the users, such as administrators, may use the eDRM devices to protect the documents, access the protected documents, and/or manage the protected documents within the enterprise. In addition to the protected documents, the administrators may also manage all the users and the eDRM devices within the enterprise.

In an implementation, the eDRM devices may be equipped with a secure viewer interface for protecting the documents. In said implementation, one or more eDRM devices may also be equipped with an administrative interface for managing the protected documents, users, and/or other eDRM devices. In an example, the regular users and the owners may be presented with the secure viewer interface, while the administrators may be presented with the administrative interface.

To protect the document, a user may browse and select the document to be protected via the secure viewer interface of the eDRM device. Based on the selection, the eDRM device encrypts the document using cryptography techniques known in the art to generate the protected document. The user will henceforth be considered the owner of the document.

Access to the protected documents may be defined and controlled by the owners and the administrators in the form of access rights. Examples of the access rights include, but are not limited to, a read access, a write access, a copy access, and a print access. The access rights enable the users to open the protected documents, make changes to the protected documents, copy text, capture screen snapshots of the protected documents, and print a hard copy of the protected documents.

In operation, based on the preferences of the assignor, the eDRM device assigns one or more access rights to any user within the enterprise. Such access rights define access of the users to the protected document. For example, the access rights may specify if a user has full access or limited access to the protected documents. The users without an explicit access right over the protected document will be denied access.

In addition to defining access rights, the eDRM devices in communication with the eDRM server also provide other access control features, such as user and document locking, assigning temporary ownership, and delegating access rights.

The user locking feature enables the administrator to lock the users. Locking a user restricts the user from accessing the protected documents. Further, locking the user at a time when a protected document is open at an eDRM device may lead to immediate shut down of the protected documents. It is to be understood that locking the user does not modify the existing access rights of the user. The same access rights are available for the user when the user is unlocked by the administrator.

The document locking feature enables administrators to lock any protected document. Further, the locking feature enables the users to lock any protected document which is owned by them. Locking the protected document restricts the other users from accessing the protected document, irrespective of the access rights the other users hold over the protected document.

The temporary ownership feature enables the owners to assign temporary ownership of their protected documents to another user. Further, the temporary ownership feature enables the administrator to assign temporary ownership of the protected documents of one user to another user within the enterprise. The temporary ownership may be assigned for a certain time period, and it expires at the expiry of such time period. The temporary ownership provides the user with all the access rights and authorities of the actual owner, except the authority to assign the temporary ownership and modify the time period of the temporary ownership.

The delegation of access rights feature enables the users having access rights to the protected documents of the owner, to delegate all of their access rights to another user within the enterprise. The user who delegates the access rights to another user is referred to as a delegator, and the user who receives such delegated access rights is referred to as a delegatee.

The eDRM device, therefore, enables the users within the enterprise to protect the documents and implement a fine-grained access control over the protected documents, even if the protected documents leave the secured eDRM devices of the user.

The manner in which documents of an enterprise are protected and access to the protected documents is controlled is explained further in conjunction with FIGS. 1 to 4. While aspects of systems and methods may be implemented in any number of different computing systems, environments, and/or configurations, the embodiments are described in the context of the following exemplary system architecture(s).

FIG. 1 illustrates an enterprise digital rights management (eDRM) network environment 100, in accordance with an embodiment of the present subject matter. In said embodiment, the eDRM network environment 100 includes an eDRM server 102. The eDRM server 102 may be implemented as any of a variety of computing devices, including, for example, a server, a workstation, and a mainframe computer. The eDRM server 102 is in communication with a plurality of eDRM devices 104-1, 104-2, 104-3, . . . , 104-N, hereinafter referred to as the eDRM device(s) 104. The eDRM devices 104 may be implemented as computing devices, such as a desktop PC, a notebook, and a portable computer.

The eDRM devices 104 are connected to the eDRM server 102 over a network 106 through one or more communication links. The communication links between the eDRM devices 104 and the eDRM server 102 are enabled through a desired form of communication, for example, via dial-up modem connections, cable links, and digital subscriber lines (DSL), wireless or satellite links, or any other suitable form of communication. In an implementation, the network 106 may be an enterprise network, including personal computers, laptops, various servers, such as blade servers, and other computing devices.

Further, the network 106 may also be a wireless network, a wired network, or a combination thereof. The network 106 can also be an individual network or a collection of many such individual networks, interconnected with each other and functioning as a single large network, e.g., the Internet or an intranet. The network 106 can be implemented as one of the different types of networks, such as intranet, local area network (LAN), wide area network (WAN), the internet, and such. The network 106 may either be a dedicated network or a shared network, which represents an association of the different types of networks that use a variety of protocols, for example, Hypertext Transfer Protocol (HTTP), Transmission Control Protocol/Internet Protocol (TCP/IP), etc., to communicate with each other. Further, the network 106 may include network devices, such as network switches, hubs, routers, and Host Bus Adapters (HBAs), for providing a link between the eDRM devices 104 and the eDRM server 102. The network devices within the network 106 may interact with the eDRM devices 104 and the eDRM server 102 through the communication links.

In operation, the eDRM devices 104 receive requests from one or more assignors, such as owners and administrators, to protect documents and control access of other users to protected documents. In an implementation, the eDRM devices 104 may be configured with a secure viewer interface through which the owners browse and select one or more documents to be protected. Alternatively, the eDRM devices 104 may be configured with an administrative interface via which the administrators browse and select one or more documents to be protected. The documents may contain confidential information in digital format.

Once the document to be protected is selected by the assignor, the eDRM device 104 generates two copies of a security key. The security key may consist of a cryptographic key and an initialization vector. In an implementation, the eDRM device 104 generates a unique security key for the selected document. The eDRM device 104 saves one copy of the security key onto the eDRM device 104 and sends another copy of the security key to the eDRM server 102. It is to be understood that eDRM server 102 may store the security key either internally within the eDRM server 102, or externally within a repository associated with the eDRM server 102. Once the security key is sent to the eDRM server 102, the eDRM device 104 retrieves a document identifier (ID) from the eDRM server 102. Subsequently, the eDRM device 104 encrypts the selected document using the security key alone or in combination with the document ID retrieved from the eDRM server 102 to generate a protected document. It is to be understood that whenever the security key for the document to be protected is sent to the eDRM server 102, the eDRM server 102 generates a document ID for the selected document and stores the same within the eDRM server 102. Along with the document ID, the eDRM server 102 also stores a user ID of the user whose document is to be protected. The eDRM server 102 may store the user ID and document ID information, for example, in form of a user and document table.

In an implementation, the eDRM device 104 includes an access control module 108 that controls access of the users to the protected document. In said implementation, the access control module 108 allows assignors to assign one or more access rights to other users within the enterprise. Such access rights define access of the user to the protected document. Examples of the access rights may include, but are not limited to, rights to open, edit, copy, and print the protected documents. In an example, if the owner wishes to share the protected documents with other users within the enterprise, the owner may assign one or more access rights to the other users. In said example, same or different access rights may be assigned to one or more users based on the preferences of the assignor.

In addition to assigning access rights, the access control module 108 may lock/unlock a user based on locking instructions received from an administrator. Also, the access control module 108 may lock/unlock the documents based on locking instructions provided by the owner and the administrator. In an implementation, the administrators may use the administrative interface via which the administrator provides locking instructions to the access control module 108, while the owners may use the secure viewer interface using which the owner provides locking instructions to the access control module 108.

Further, the access control module 108 may delegate the access rights of one user to another user. For example, if an owner grants open and copy request to an assignee, the assignee may further delegate the access rights to another user. In such a scenario, the user who delegates the access rights is referred to as a delegator, and the user who receives such delegated access rights is referred to as a delegatee.

Furthermore, the access control module 108 may assign temporary ownership of the documents from one user to another user for a certain time period. For example, owners may temporarily assign the ownership of their documents to any other user within the enterprise if the owner is going on a leave. In said example, the owners may set the time period till which such ownership will remain active. Such temporary ownership expires at the expiry of the preset time period. The users with temporary ownership are provided with all the access rights and authorities of the owner, except authority to assign temporary ownership, and modify the time period of the temporary ownership.

FIG. 2 illustrates components of an eDRM device 104, according to an embodiment of the present subject matter. In said embodiment, the eDRM device 104 includes one or more processor(s) 202, a memory 204 coupled to the processor 202, and interface(s) 206.

The processor 202 can be a single processing unit or a number of units, all of which could include multiple computing units. The processor 202 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the processor 202 is configured to fetch and execute computer-readable instructions and data stored in the memory 204.

The interfaces 206 may include a variety of software and hardware interfaces, for example, interface for peripheral device(s) such as a keyboard, a mouse, an external memory, a printer, etc. Further, the interfaces 206 may enable the eDRM device 104 to communicate with other computing devices, such as web servers and external databases. The interfaces 206 may facilitate multiple communications within a wide variety of protocols and networks, such as a network, including wired networks, e.g., LAN, cable, etc., and wireless networks, e.g., WLAN, cellular, satellite, etc. The interfaces 206 may include one or more ports to allow communication between the eDRM devices 104 and the eDRM server 102.

The memory 204 may include any computer-readable medium known in the art including, for example, volatile memory such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes. The memory 204 also includes module(s) 208 and data 210.

The modules 208 include routines, programs, objects, components, data structures, etc., which perform particular tasks or implement particular abstract data types. In one implementation, the modules 208 include a security module 212, the access control module 108, an authentication module 214, and other modules 216. The access control module 108 further includes an access assigning module 226, an access restricting module 228, a locking module 230, an ownership module 232, and a delegation module 234. The other modules 216 may include programs or coded instructions that supplement applications and functions, for example, programs in the operating system of the eDRM device 104.

The data 210, amongst other things, serves as a repository for storing data processed, received, and generated by one or more of the module(s) 208. The data 210 includes access control data 218, security data 220, authentication data 222, and other data 224. The other data 224 includes data generated as a result of the execution of one or more modules in the other modules 216.

The eDRM device 104, in accordance with the present subject matter, provides two levels of security to the documents within the enterprise. The eDRM device 104 achieves a first level of security by authenticating the identity of the user and encrypting the documents, using cryptographic techniques, to generate the protected documents. Also, the eDRM device 104 achieves a second level of security by controlling access to the protected documents. The entire security procedure implementing both the levels of security is explained in detail under the following sections, viz., user authentication, document encryption, and access control.

User Authentication

In operation, the eDRM device 104 receives login credentials from the user. The login credentials may include, for example, a user ID and a password. Based on the login credentials, the eDRM device 104 authenticates the user. Such authentication may be performed using authentication techniques known in the art, for example, using existing Lightweight Directory Access Protocol (LDAP) Directories or a digital certificate.

In operation, the authentication module 214 authenticates the user based on the received login credentials. The authentication module 214 performs such authentication by comparing login credentials entered by the user with login credentials pre-stored in the authentication data 222. If the comparison indicates that the login credentials provided by the user are correct, the user is authenticated and access to the eDRM device 104 is allowed. On the other hand, if the comparison indicates that the login credentials provided by the user are incorrect, the user authentication fails and access to the eDRM device 104 is restricted until the correct login credentials are entered by the user. It is to be understood that the authentication data 222 is shown within the data 210 for the purpose of clarity. However, such authentication data 222 may also be placed in an external repository associated with the eDRM device 104. For example, the authentication data 222 may be stored in an LDAP server (not shown), if the authentication is performed using LDAP Directories.

Document Encryption

The eDRM device 104 may receive a document protection request from an authenticated user for protecting a document. The eDRM device 104, for example, may be equipped with the secure viewer interface via which the owners browse and select the documents to be protected. Once the document to be protected is selected by the user, the security module 212 generates two copies of the security key. In an implementation, the security module 212 generates the unique security key for each document. The security module 212 saves a copy of the security key in the security data 220 and sends another copy of the security key to the eDRM server 102. Once the security key is sent to the eDRM server 102, the security module 212 retrieves the document identifier (ID) from the eDRM server 102. The security module 212 then encrypts the document using the security key alone or in combination with the document ID retrieved from the eDRM server 102 to generate the protected document. It is to be understood that whenever the security key for the document to be protected is sent to the eDRM server 102, the eDRM server 102 generates a document ID for the document to be protected and stores the same within the eDRM server 102. Along with the document ID, the eDRM server 102 also stores a user ID of the user whose document is to be protected. The eDRM server 102 may store the user ID and the document ID information, for example, in form of a user and document table.

In addition to the security key, the security module 212 may also store metadata pertaining to the protected documents in the security data 220. Examples of metadata include, but are not limited to, magic number, file version number, encrypted security key, and document initialization vector.

The protected documents generated by the security module 212 may be thereafter distributed or shared with one or more other users within the enterprise. For example, the owner can share the protected documents with other users via electronic mail and/or any file sharing method known in the art.

Access Control

The eDRM device 104 provides a first level of security to the documents from unauthorized access by protecting the documents using cryptographic techniques. In addition, the eDRM device 104 further provides a second level of security to the documents by allowing users to control access to the protected documents and ensures that the confidential information within the protected documents reaches only those parties who are accountable for its application or implementation. In one implementation, the access is controlled by assigning one or more access rights to the users if the protected documents need to be circulated to the users. Further, the access is controlled by locking user/documents, delegating the access rights to other users within the enterprise, and assigning temporary ownership of the documents to another user if the owner is temporarily unavailable. The manner in which the access control may be achieved is explained in detail in the following subsections, viz., assigning access rights, locking user/document, and delegating access rights.

Assigning Access Rights

The assignors, such as the owners and the administrators, may control the other users within the enterprise from accessing the protected documents, by assigning one or more access rights to the other users. In an implementation, the access rights include rights mentioned in Table 1 below. It is to be understood that different types of access rights described in the Table 1 are only for the purpose of explanation and various other types of access rights may also be implemented. For example, rights to access the protected documents offline may also be implemented.

TABLE 1

Access Right | Description
Open | User can open the protected documents
Edit | User can edit or modify data in the protected documents
Copy | User can copy data from the protected documents and/or can take screen snapshots of the protected documents
Print | User can print the protected documents

In an implementation, different access rights may be assigned to one or more users, such as the assignees or the other owners. For example, a user A may be provided with access right to open and print the documents, and another user B may be provided with access right to open, edit, and print the documents. In another implementation, same access rights may be assigned to one or more users. For example, the users A and B may be provided with access to open, edit, and print the documents.

In operation, the access assigning module 226 assigns one or more access rights to a user or a group of users, based on preferences of the assignor having rights over the documents. The access assigning module 226 stores information pertaining to the assignment of the access rights in the eDRM server 102. In addition to assigning the access rights, the access assigning module 226 may also update the assignment of the access rights, based on updation instructions from the assignor. The updation instructions may include instructions for granting one or more new access rights to the users and revoking one or more previously granted access rights to the user. Based on the updation instructions, assignment of the access rights is updated and access rights assignment information in the eDRM server 102 is updated with the new access right assignment information. In an implementation, the eDRM server 102 may be associated with a repository for storing such access rights assignment information. The repository may be an external repository associated with the eDRM server 102.

Delegating Access Rights

In addition to the access rights indicated above, a right to delegate the access rights to other users may also be provided to the users. Therefore, the eDRM device 104 allows the users, having the right to delegate the protected documents, to delegate all of the other access rights they are holding to the other users within the enterprise. In an example, if a user, such as the owner, has granted rights to open, edit and print the documents to the assignee and if the assignee has the right to delegate the access rights, the assignee may further delegate such assigned rights to another user within the enterprise. It is to be understood that the user who delegates the access rights is referred to as delegator, and the user who receives the delegated access rights is referred to as delegatee.

In operation, the delegation module 234 delegates the access rights based on delegation information received from the delegator. The delegator specifies the delegatee to whom the access rights are to be delegated. The delegation module 234 receives the delegation information from the delegator and delegates the access rights of the delegator to the delegatee. The delegation module 234, thereafter, stores the delegation information in the eDRM server 102. The delegation information may include, for example, the document ID for which the access rights are delegated, the delegator ID, and the delegatee ID. It is to be understood that the delegator ID is the user ID of the user who is delegating the access rights, and the delegatee ID is the user ID of the user who is receiving the delegated access rights.

Assigning Temporary Ownership

In an implementation, the eDRM device 104 allows the users to assign temporary ownership of all the documents owned by the user to another user for a certain time period. For example, the owners may assign temporary ownership of the protected documents they own to any other user within the enterprise if the owner is going on a leave. In said example, the owners may set the time period till which such ownership will remain active. The user to whom a temporary ownership is assigned is known as a temporary owner. The temporary owner has all the rights of the owner, except the right to change the time period of the temporary ownership and to assign the temporary ownership to the other users. In another implementation, the eDRM device 104 allows the administrators with administrative powers to assign the temporary ownership for one user to another user within the enterprise. In said implementation, the administrators also have the administrative power to change the time period of the temporary ownership.

In operation, the ownership module 232 assigns the temporary ownership of the documents from one user to another user based on the ownership assignment instructions. The ownership assignment instructions may include, for example, a temporary owner ID, and time period for which the ownership is assigned. Subsequent to assigning the ownership, the ownership module 232 stores the information related to assignment of the temporary ownership, such as the temporary owner ID and the time period for which the ownership is assigned in the eDRM server 102.

It is to be understood that when the temporary ownership is active, the temporary owner may enjoy the access rights of the owner. However, once the time period of the temporary ownership expires, the temporary ownership is disabled. However, the access rights that were assigned and delegated to the temporary owner, if any, stay intact.

Locking User/Documents

In an implementation, the eDRM device 104 allows the administrators to lock any other user or the protected document. Further, the eDRM device 104 allows the owners to lock any protected document which they own. Locking a user may be understood as preventing a user from accessing the protected documents, irrespective of the access rights the user holds over the protected documents. For example, if a user has access to open and edit the protected documents, and the user is locked by the administrator, any access request from the locked user for accessing the protected documents will not be entertained. In case the protected documents have already been opened at the eDRM device 104, the user's access to the protected documents is forcefully terminated and an alert message, such as “user is locked”, may be displayed to the user on the eDRM device 104. When the user is unlocked by the administrator, any further access request by the user for accessing the protected documents may be accepted, if the user is holding the access rights, whether granted or delegated. It is to be understood that locking the user does not modify the access rights of the user.

On the other hand, locking the protected document may be understood as preventing any user from accessing the protected document, irrespective of the access rights the users are holding over the protected document. In the event that a locked protected document is already open at one or more eDRM devices 104, the user's access to the protected document will be forcefully terminated.

In operation, the locking module 230 locks the user and/or the protected documents and stores locking information in the eDRM server 102. The locking information, for example, may include a user ID of the locked user, and/or document ID of the locked document. Such locking information is stored in the eDRM server 102, along with the user ID and document ID information. In an implementation, the eDRM server 102 stores the locking information in the user and documents table. Such tables may contain a locking information field. The contents of the locking information field indicate if the user ID or a document ID is locked or unlocked.

The locking module 230 is configured to check such user and content table at predefined time intervals, for example every 30 seconds, to determine if the user ID and/or the document ID is locked. If the user and content table indicates that the user ID or the document ID is locked, the already open documents will be forcefully shut down. Such checking of the locking information at regular intervals is referred to as a polling mechanism.
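The polling described above can be replayed on a constructed timeline to see when a lock actually takes effect on documents that are already open. The following Python sketch is an added example, not code from the described system; the class and function names, the in-memory lock table, and the “document is locked” wording are assumptions made for illustration.

```python
from dataclasses import dataclass

POLL_INTERVAL_S = 30  # the interval the description gives as an example


@dataclass
class OpenSession:
    user_id: str
    doc_id: str
    is_open: bool = True
    alert: str = ""


class LockPoller:
    """Device-side sketch of the polling performed by the locking module 230."""

    def __init__(self, lock_table, interval_s=POLL_INTERVAL_S):
        self.lock_table = lock_table  # stand-in for the server's user/document tables
        self.interval_s = interval_s
        self.next_poll_s = interval_s
        self.sessions = []

    def open_document(self, user_id, doc_id):
        session = OpenSession(user_id, doc_id)
        self.sessions.append(session)
        return session

    def poll(self):
        """One poll: close every open session whose user or document is locked."""
        closed = []
        for s in self.sessions:
            if not s.is_open:
                continue
            if s.user_id in self.lock_table["users"]:
                s.alert = "user is locked"      # message quoted in the description
            elif s.doc_id in self.lock_table["documents"]:
                s.alert = "document is locked"  # constructed wording
            else:
                continue
            s.is_open = False
            closed.append(s)
        return closed

    def tick(self, now_s):
        """Run a poll only when the predefined interval has elapsed."""
        if now_s < self.next_poll_s:
            return []
        self.next_poll_s += self.interval_s
        return self.poll()


def run_timeline(lock_events, horizon_s):
    """Replay constructed lock events second by second and return
    (time, user, document, alert) for each forced termination."""
    table = {"users": set(), "documents": set()}
    poller = LockPoller(table)
    poller.open_document("bob", "doc1")
    poller.open_document("carol", "doc2")
    poller.open_document("erin", "doc1")
    log = []
    for now in range(horizon_s + 1):
        for kind, ident in lock_events.get(now, ()):
            table[kind].add(ident)  # the server-side lock is recorded immediately
        for s in poller.tick(now):
            log.append((now, s.user_id, s.doc_id, s.alert))
    return log


# Constructed events: user "bob" locked at t=5 s, document "doc1" locked at t=40 s.
SAMPLE_EVENTS = {5: [("users", "bob")], 40: [("documents", "doc1")]}
```

With these events the sessions close at t=30 s and t=60 s, so an already open document can stay open for up to one polling interval after the lock is recorded on the server.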

It is to be understood that in addition to the access control features described above, other access control features, such as transferring ownership, time shifting portability, space shifting portability, platform shifting portability, etc., may also be implemented. For the sake of clarity a brief explanation of such additional features is provided.

Transferring ownership: Permanently transferring ownership of the documents from one user to another user within the enterprise. For example, if a user leaves an organization, the ownership of the user may be transferred to some other user within the enterprise.

Time shifting: Enabling the users to access the protected documents at the time when they want to.

Space shifting portability: Enabling the users to freely access the protected documents on any computing device they want.

Platform shifting portability: Enabling the users to use different operating systems to access the protected documents.

FIG. 3 illustrates a method 300 for protecting documents using the enterprise digital rights management (eDRM) device 104, in accordance with an embodiment of the present subject matter, and FIG. 4 a and FIG. 4 b illustrate methods 400, 422 for securely accessing the protected documents, in accordance with an embodiment of the present subject matter. The methods may be described in the general context of computer executable instructions. Generally, computer executable instructions can include routines, programs, objects, components, data structures, procedures, modules, functions, etc., that perform particular functions or implement particular abstract data types. The methods may also be practiced in a distributed computing environment where functions are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, computer executable instructions may be located in both local and remote computer storage media, including memory storage devices.

The order in which the methods are described is not intended to be construed as a limitation, and any number of the described method blocks can be combined in any order to implement the methods, or alternative methods. Additionally, individual blocks may be deleted from the methods without departing from the spirit and scope of the subject matter described herein. Furthermore, the methods can be implemented in any suitable hardware, software, firmware, or combination thereof.

Referring to FIG. 3, the method 300 for protecting one or more documents using an enterprise digital rights management (eDRM) device initiates at block 302, where a document protection request is received from the user. In an implementation, the user, such as the owner, may log into the eDRM device 104 with login credentials. The login credentials may include a user ID, a password, and domain information. Based on the login credentials, the user is authenticated using authentication techniques known in the art. The authenticated user may access the eDRM device 104 for protecting the documents. In operation, the authenticated user may send a content protection request to the eDRM device 104 by selecting the documents to be protected. A security module 212 within the eDRM device 104 receives such a document protection request of the user.

At block 304, in response to the document protection request, the eDRM device 104 generates a unique security key. A copy of the security key is saved on the eDRM device 104 and another copy of the security key is sent to the eDRM server 102. The eDRM device 104 encrypts the document using the security key to generate a protected document.

At block 306, one or more access rights may be assigned to the users for defining access of the users to the protected documents. Such access rights may include, but are not limited to, rights to open, edit, copy, and print the protected documents. In an example, same or different access rights may be granted to one or more users. In an implementation, an access assigning module 226 within the eDRM device 104 assigns access rights to the users within the enterprise based on the instructions received from the assignor, such as the owner of the documents.

At block 308, a check is conducted to determine if any updation in the assignment of the access rights is required. Such updation, for example, may include adding new access rights, or revoking previously granted access rights. If any updation is required (“Yes” Branch from block 308), the access rights are updated at block 310, and the updated access rights assignment information is stored in the eDRM server 102, at block 312. On the other hand, if no updation is required (“No” Branch from block 308), the access rights assignment information is stored in the eDRM server 102, at block 312. In operation, an access assigning module 226 updates the access rights, and stores the updated access rights assignment information in the eDRM server 102. It is to be understood that the eDRM server 102 may store the access rights assignment information in an external repository associated with the eDRM server 102.

The eDRM device 104, therefore, provides a two level security to the documents. Specifically, the eDRM device 104 provides a first level of security by encrypting the documents. Further, the eDRM device 104 provides a second level of security by assigning one or more access rights to the users within the enterprise for defining access of the user to the protected documents. In an example, the assignors, such as the owner of the documents, may provide instructions to the eDRM device 104 to assign all the access rights or limited access rights to the other users within the enterprise. Once the documents are protected with the encryption and access rights, the user may circulate or distribute the protected documents to other users.

FIG. 4 a and FIG. 4 b illustrate methods 400, 422 for securely accessing the protected documents, in accordance with an embodiment of the present subject matter.

FIG. 4 a illustrates a method 400 to control access of opening a protected document, according to an embodiment of the present subject matter.

At block 402, an access request is received from a user for accessing a protected document, where the access request is a document open request. The document open request may be understood as a request for opening a protected document. In an implementation, the access control module 108 within the eDRM device 104 receives the access request.

At block 404, upon receiving the access request, a check is made to determine if the user making the access request is a locked user or the document for which access request is made is a locked document. Such determination is made by accessing locking information stored in the eDRM server 102. It is to be understood that the eDRM server 102 maintains a table containing user information, such as user ID, and document information, such as a document ID. Along with each user ID and document ID, locking information is also stored in the eDRM server 102 in form of a locking field, which indicates if the user ID and/or the document ID is ‘locked’ or ‘unlocked’. If the determination yields that at least one of the user and document is locked (“Yes” Branch from the block 404), the access request of the user is rejected at block 406 and an error code or an alert message indicating that the user and/or the document is locked may be displayed to the user on the eDRM device 104. However, if neither the user nor the document is locked (“No” Branch from the block 404), a further determination is made for ascertaining whether the user is an owner or not at block 408.

At the block 408, if the determination yields that the user is an owner (“Yes” Branch from the block 408), all the access rights are retrieved from the eDRM server 102. In an implementation, the access control module 108 retrieves all the access rights from the eDRM server 102 at block 414. Further, the access control module 108 stores all the retrieved access rights in the access control data 218, within the eDRM device 104 at block 420. However, if the determination yields that the user is not an owner (“No” Branch from the block 408), a further determination is made to ascertain whether the user is a temporary owner or not at block 410.

The determination at block 410 is made from the temporary ownership data stored in the eDRM server 102. If the determination indicates that the user is a temporary owner (“Yes” Branch at block 410), a further check is performed at the block 412, to determine if the time period of the temporary ownership has expired. If the determination indicates that the time period of the temporary ownership has not expired (“No” Branch from the block 412), the eDRM device 104 retrieves all the access rights from the eDRM server 102 at block 414. Further, the eDRM server 102 decrypts the protected document and stores all the retrieved access rights in the access control data 218 at block 420. On the other hand, if the determination indicates that the time period of the temporary ownership has expired (“Yes” Branch from the block 412), the method step 416 is performed.

If the check made at block 410 indicates that the user is not a temporary owner (“No” Branch at block 410), or if the user is found to be a temporary owner, but the temporary ownership has expired (“Yes” Branch from the block 412), the access rights granted and delegated to the user are retrieved from the eDRM server 102, if any, at block 416. Further, at block 418 a determination is made if the access requested by the user, i.e., the document open request, matches with any of the retrieved access rights. If the determination indicates that the requested access right matches with the retrieved access right (“Yes” Branch from the block 418), the eDRM device 104 decrypts the protected document and stores the retrieved access rights in the access control data 218. However, if the determination indicates that the requested access right does not match with any of the retrieved access rights (“No” Branch from the block 418), the eDRM device 104 rejects the access request of the user.
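The decision order of method 400 (lock check, owner, temporary owner with expiry, then granted and delegated rights) can be written out as a single function. The following Python sketch is an added example, not code from the described system; the record layout, the user and document names, and the rule that a delegation is honoured only while the delegator still holds the right to delegate are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Rights named in the description; the owner holds all of them.
ALL_RIGHTS = frozenset({"open", "edit", "copy", "print", "delegate"})


@dataclass
class ServerRecords:
    """Constructed in-memory stand-in for what the eDRM server 102 stores."""
    locked_users: set = field(default_factory=set)
    locked_docs: set = field(default_factory=set)
    owners: dict = field(default_factory=dict)       # doc_id -> owner_id
    temp_owners: dict = field(default_factory=dict)  # owner_id -> (temp_owner_id, expires_at)
    granted: dict = field(default_factory=dict)      # (doc_id, user_id) -> set of rights
    delegations: list = field(default_factory=list)  # (doc_id, delegator_id, delegatee_id)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rights: frozenset  # what the device would cache in access control data 218
    reason: str


def granted_and_delegated(srv, user_id, doc_id):
    """Block 416. Assumption of this sketch: a delegation passes on the delegator's
    granted rights other than 'delegate', only while the delegator holds 'delegate'."""
    rights = set(srv.granted.get((doc_id, user_id), ()))
    for d_doc, delegator_id, delegatee_id in srv.delegations:
        if d_doc == doc_id and delegatee_id == user_id:
            held = srv.granted.get((doc_id, delegator_id), set())
            if "delegate" in held:
                rights |= held - {"delegate"}
    return frozenset(rights)


def handle_open_request(srv, user_id, doc_id, now):
    owner_id = srv.owners.get(doc_id)
    if owner_id is None:
        return Decision(False, frozenset(), "unknown document")
    # Block 404: a lock on the user or the document overrides every right.
    if user_id in srv.locked_users or doc_id in srv.locked_docs:
        return Decision(False, frozenset(), "locked")
    # Block 408: the owner receives all access rights.
    if user_id == owner_id:
        return Decision(True, ALL_RIGHTS, "owner")
    # Blocks 410 and 412: temporary ownership counts only before it expires.
    temp = srv.temp_owners.get(owner_id)
    if temp is not None and temp[0] == user_id and now < temp[1]:
        return Decision(True, ALL_RIGHTS, "temporary owner")
    # Blocks 416 and 418: fall back to granted and delegated rights.
    rights = granted_and_delegated(srv, user_id, doc_id)
    if "open" in rights:
        return Decision(True, rights, "granted or delegated")
    return Decision(False, frozenset(), "no matching right")


def sample_records():
    """Constructed sample data: alice owns doc1, bob is an assignee who delegated
    to carol, dave is alice's temporary owner and also holds a granted 'open'."""
    srv = ServerRecords()
    srv.owners["doc1"] = "alice"
    srv.granted[("doc1", "bob")] = {"open", "edit", "delegate"}
    srv.granted[("doc1", "dave")] = {"open"}
    srv.delegations.append(("doc1", "bob", "carol"))
    srv.temp_owners["alice"] = ("dave", datetime(2024, 1, 10, tzinfo=timezone.utc))
    return srv
```

Because the lock check comes first, a locked owner is rejected as well, and a temporary owner whose period has expired keeps only the rights that were separately granted or delegated.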

FIG. 4 b illustrates a method 422 to control access of one or more open protected documents to a user, according to an embodiment of the present subject matter.

At block 424, an access request is received from the user, where the access request is one of a document edit request, a document copy request, and a document print request. In an implementation, the access assigning module 226 receives the access request from the user.

At block 426, the access requested by the user is compared with the access rights of the user stored in the access control data 218. In an implementation, the access assigning module 226 compares the access requested with the access rights corresponding to the user stored in the access control data 218.

At block 428, a determination is made whether the access requested matches with any of the access rights of the user stored in the access control data 218. If it does (“Yes” Branch from the block 428), the access request of the user is accepted. Accepting the access request of the user means that the user is allowed to perform the access requested by the user. However, if the determination made at block 428 yields that the access requested by the user does not match with any of the access rights of the user stored in the access control data 218 (“No” Branch from the block 428), the access request of the user is rejected at block 432. Rejecting the access request of the user means that the user is restricted from performing the access requested by the user. In an implementation, the access restricting module 228 restricts the user from performing the requested operation.

Although embodiments for enterprise digital rights management have been described in language specific to structural features and/or methods, it is to be understood that the invention is not necessarily limited to the specific features or methods described. Rather, the specific features and methods are disclosed as exemplary implementations for the enterprise digital rights management.

1. A device comprising: a processor; and a memory coupled to the processor, the memory comprising: a security module configured to generate a security key, encrypt at least one document using the security key, and generate a protected document based on the encryption; and an access control module configured to: assign at least one access right to at least one user for accessing the protected document; delegate the access right from the user to an other user; and lock at least one of the user, the other user, and the protected document.

2. The device as claimed in claim 1, wherein the access control module is further configured to: receive an access request from the user for accessing the protected document; compare the access request with the access right associated with the user; and restrict the user from accessing the protected document based on the comparison.

3. The device as claimed in claim 1, wherein the access control module is further configured to: receive an access request from the user for accessing the protected document, wherein the access request is a request for opening the protected document; determine if at least one of the user and the protected document is locked; and restrict the user from accessing the protected document based on the determination.

4. The device as claimed in claim 1, wherein the access control module is further configured to ascertain at predefined time intervals whether at least one of the user and the protected document is locked.

5. The device as claimed in claim 1, wherein the access control module is further configured to assign temporary ownership of the protected document to the other user.

6. The device as claimed in claim 1, wherein the access control module is further configured to: receive an access request from the user for accessing the protected document, wherein the access request is a request for opening the protected document; ascertain whether at least one of the user and the protected document is unlocked; determine whether the user is an owner, if at least one of the user and the protected document is unlocked; and decrypt the protected document and allow the user to access the protected document, based on the determination.

7. The device as claimed in claim 1, wherein the access control module is further configured to: receive an access request from the user for accessing the protected document, wherein the access request is a request for opening the protected document; ascertain whether at least one of the user and the protected document is unlocked; determine whether the user has temporary ownership and a preset time period of the temporary ownership has expired, if at least one of the user and the protected document is unlocked; compare the access request with the access right associated with the user, based on the determination; and restrict the user from accessing the protected document based on the comparison.

8. A method of controlling access to a protected document within an enterprise, the method comprising: receiving an access request by a user for accessing the protected document, wherein the access request is a request for opening the protected document; determining whether at least one of the user and the protected document is locked; and rejecting the access request based on the determining, wherein the rejecting comprises restricting the user from accessing the protected document.

9. The method as claimed in claim 8 further comprising: ascertaining whether the user has temporary ownership; further ascertaining whether a preset time period of the temporary ownership has expired, if the user has temporary ownership; and determining whether the access request matches with at least one of an access right granted and delegated to the user, if the preset time period of the temporary ownership has expired.

10. A computer-readable medium having embodied thereon a computer program for executing a method comprising: receiving an access request by a user for accessing the protected document, wherein the access request is a request for opening the protected document; determining whether at least one of the user and the protected document is locked; and rejecting the access request based on the determining, wherein the rejecting comprises restricting the user from accessing the protected document.

11. The computer-readable medium as claimed in claim 10 further comprising: ascertaining whether the user has temporary ownership; further ascertaining whether a preset time period of the temporary ownership has expired, if the user has temporary ownership; and determining whether the access request matches with at least one of an access right granted and delegated to the user, if the preset time period of the temporary ownership has expired.